Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive into the implications of President Trump’s tweet on Friday, August 17th about quarterly financial reporting by public companies.

Some of the highlights from this podcast are:

  1. What was the reason behind the tweet?
  2. Is this simply an attempt to require less transparency in financial reporting?
  3. Would a longer financial reporting cycle allow companies to plan to the longer term?
  4. Would this negatively impact short-sellers?

We unpack all of these points and consider the SEC’s response going forward.

For more reading: see Wall Street Journal Article, “The End of Quarterly Reporting? Not Much to Cheer About”.

See NYT Dealbook article, “Trump Asks S.E.C. to Study Quarterly Earnings Requirements for Public Firms”.

In this special five-podcast series, Matt Kelly and I have been exploring the future of internal audit (IA), compliance and analytics. In the final episode, Part V, we discuss how IA can get started and provide some concluding remarks. We consider whether the technology is here today to implement the suggestions put forward this week. Can (or perhaps should) a company outsource internal control testing or internally develop a tool for analytics? We consider some of the biggest obstacles audit leaders cite for moving forward: lack of resources, business complexity, and lack of staff, and how the Chief Compliance Officer (CCO) can aid IA in this evolution. We conclude with some thoughts that to succeed, an organization should know its objectives, get good data and think in terms of harnessing and channeling risk, rather than fulfilling compliance.

It begins with complete and accurate reports and all of the financial data present. You must begin with a complete and accurate list of data. You need to think all of this through at the beginning and have strong internal controls around it because without good data you get bad data, which leads to bad internal controls and this leads to bad conclusions. From that point, Kelly noted, “everything we have talked about here goes out the window because it started with a bad foundation.”

From there it moves to the analytics. Fortunately there are multiple vendors which currently provide those types of products which have some type of data analytics capabilities. For instance, they exist in the gift, travel and entertainment (GTE) database space, third party management platforms and hotline reporting tools. The key is to have a central repository of data that you can trust, that is validated and tamper-proof. The next step is to extract the data out from its respective repositories with an analytics tool and present the data in a visualization tool.

The next requirement is staff. Right now (and for the foreseeable future) data analytics professionals can write their own tickets. So this may be a problem for startups or smaller companies. However, larger companies may have business analysts who could fill this role. Kelly said that you could potentially pair them with IA to perform analysis projects. IA are going to know how to audit and what questions to ask, however they may not know how to get the visualization and the analytics done well and that is where the business analysts come in.

The pairing of a subject matter expert (SME) with IA can also work. Kelly pointed to the example from the Cleveland Clinic where the Chief Integrity Officer, Don Sinko, has had success using employees from the nursing staff as they know the operations inside and out and when you pair them with an internal auditor it “creates a nucleus of operational knowledge.” Other examples are banks which use employees from the customer care centers because they have the greatest knowledge of the company’s problems.

Another key issue which Kelly pointed to was whether the company truly understands its objectives. He stated, “What are the actual objectives? Does everybody know them? Does everybody know which one is ranked number one and which one is ranked two, three and four? You really need to think through this is what we want to achieve.” From there you should ask what are the risks that might prevent us from achieving these objectives? The next step is then to reverse engineer which business process controls minimize the chance of something going wrong. Kelly said another way to consider it is that “you need to manage the risk and actually the more technical school of thought out there is, it’s an objective based risk management is what you need. What are my objectives? What are the risks to achieving them? How do I reduce those risks?” The implicit assumption is the business knows what its objectives are and which ones are more important than others.

The IA evolution that we have explored over this five-part series follows what I see as the evolution of compliance where it went from a paper program to doing compliance to operationalizing compliance and beyond that now. IA, compliance and a wide variety of other corporate disciplines really need to change their thinking about risk and looking at risk as not only an opportunity to harness and channel but also to more nimbly manage that risk going forward, not simply just fulfilling some legal compliance. Kelly added some thoughts from the compliance realm, which is that “many compliance officers wince at the idea of compliance as a bolt on addition which you engage in only at the end of the business process.” This outdated definition of the corporate compliance function, “is a drag at the end of the otherwise aerodynamic operation. It slows everything down and you don’t want that. You want compliance embedded throughout the whole organization and smart ethical conduct all the way through.”

This has a similar dynamic with IA because historically IA would do a financial statement audit and it would be bolt on because you only do the annual audit once a year. It was performed and completed after the end of the fiscal year. Now we are moving beyond this as Boards of Directors need more assurance on more risks. They need to know that risk is governed and it is governed all the way through from the risk management cycle.

Now overlay the same dynamic with the compliance function. As Kelly noted, “we’re talking about risk monitoring and internal audit as opposed to ethics and compliance and the compliance function. This is where internal audit needs to get to because this is where business processes are moving to. All information is becoming datafied and you are able to monitor this data.” Kelly added a visualization when he said, “You are able to analyze when something drifts out of the Green Zone and into the Red Zone.” Kelly believes this is where we are headed and closed by stating, “I think we can probably get there, but there’s no reason why we cannot do so. With some good thinking and good use of technology now, there is no reason why you could not start your organization on that path right away.”

Jay is on an Alaskan Disney cruise with the family. Through the prism of Trump’s attacks on the US free press and their robust response, Tom takes a solo look at some of the top compliance stories from the past week. Jay returns next week.

  1. What is the role of a free press in the fight against bribery and corruption? I explore in an article for Compliance Week (Sub req’d)
  2. In his final column at the Wall Street Journal, Ben DiPietro, writes about how social activism prioritizes push for integrity, inclusion. In the WSJ Risk and Compliance Journal.
  3. Where is the Tesla board of directors? The SEC has issued a subpoena to them. Tom discusses in the FCPA Compliance Blog. Emily Glazer reports in the WSJ. More on the infamous ‘funding secured’ tweet on Compliance Week. (Sub req’d)
  4. Why is it stupid to come to the US to (1) demand and (2) accept a bribe? Sam Rubenfeld explains in the WSJ Risk and Compliance Journal.
  5. Is the UK pushing back on US jurisdictional outreach? Evan Norris and Alma M. Mozetic pose this question in NYU’s Compliance and Enforcement blog.
  6. Valerie Charles says to consider the new FCPA Corporate Enforcement Policy from the compliance program perspective. In this month’s SCCE Magazine.
  7. Would a no-deal Brexit be a disaster for compliance? Paul Hodgson reports in Compliance Week. (sub req’d)
  8. Maurice Gilbert interviews Moore & Van Allen’s Valecia McDowell on compliance, leadership and promotion to the firm’s management committee. On CCI’s, Connected.
  9. The scandal at Maryland around the death of Jordan McNair deepens. The Trainer resigns, the University accepts responsibility and his parents call for the firing of the head coach. See coverage in Sports Illustrated and ESPN.
  10. The number of podcasts on the Compliance Podcasting Network has now reached the 1000 podcast milestone next week. To celebrate, each week in August I am running a week-long special series as a tribute. This week it has been a series on the future of audit, compliance and analytics. Next week it will be a series on ethical culture, what it means, how to measure and assess it and how to drive it. You can download the entire series next Monday at noon, on iTunes. The series will post daily at 10 AM on the Compliance Podcast Network.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part IV, we consider the new relationships which can be created based upon the evolution of IA. These changes will allow IA to work more closely with 1st and 2nd lines of defense. However, how does your organization prepare for that empowered audit function? Finally, we will consider corporate culture and ask if analytics and monitoring can drive behavior even more forcefully than ethics?

Typically, IA is thought of as part of the Third Line of Defense. However, through greater use of analytics, IA can move closer to the second or first line of defense or at least work more closely with those who are traditionally seen as the first or second lines of defense. This speaks to one of Kelly’s key points, that the evolution of IA will change the relationship between audit and other functions. Kelly also said it raises an important question, “As internal audit moves towards better analytics and risk monitoring drives up the importance of strong control design, people really need to start thinking about how to detect, how to monitor the risks that are important to my business process.”

Consider internal financial controls and the review of its effectiveness by an external auditor. In most situations bribes are funded through marketing or similar internal budgetary items. An external auditor will only consider material costs so if your marketing budget is over $100,000,000,000 annually for a worldwide, multi-national, a bribe payment of even $1,000,000 hidden in marketing expenses might not be considered material. Therefore, under this IA evolution, the function would need to not only understand the company’s risk but work with the first line business process owners to “clarify what your risks really are and figure out how to manage more accurately, more closely and more effectively.”

This does not mean IA will become a new department of risk monitoring as it will always need to maintain independence and objectivity. It does mean that other corporate departments, such as compliance, should consider taking advantage of IA’s expertise to help create a control for compliance risk that can be monitored and the results quantified. By having that conversation between IA and compliance, both corporate functions can become aware of the types of controls they are using and how they can be made more efficient or even streamlined. Now imagine that conversation with other risk areas in a corporation: anti-harassment, anti-trust, anti-bid rigging, IT security and data privacy. It is all about the operational risk for each corporate function. But the business process owner would continue to actively manage the risk.

CCOs and heads of other functional units need to be having those conversations now as Boards of Directors are starting to ask those same questions. But it comes with something along the lines of “If not, why not?” Boards see these types of conversations as improving the overall risk management process. I believe that compliance is uniquely suited to having those conversations now with IA to move the process down into the business unit to more fully operationalize the compliance function into an organization. This is certainly the approach advocated by the Department of Justice (DOJ).

Now consider a world where analytics is more prominent. If your organization is more analytics driven, how will it work in your corporate culture? Obviously, if abused or mis-used, a data driven analytics culture can also wind up being a negative place to work. In most organizations, we have seen that that which is managed or measured gets managed well. However, if you measure and manage everything, then you are micromanaging people. Everyone involved will need to consider how does this really impact the human beings who are in an organization? You should also realize that if you are managing and observing everything, what does that say about making your organization a nice place to work? Is it an interesting and challenging place to work or is it simply an organization which manages risk well? Finally, will analytics and monitoring drive behavior even more forcefully than ethics? Those are the types of conversations every company should be having now, not later.

Tomorrow we conclude with getting started and moving forward.

To celebrate the Month of 1000 podcasts I am running for each of my podcasts this month, in this episode, the Everything Compliance gang focuses on the past five years; giving a retrospective of where we were, where we are and where we are going from their own perspectives. After the commentary we follow with rants and shout outs.

  1. Matt Kelly considers how did the 2013 Internal Controls Framework and the 2016 ERM Framework change things (or not)? He notes the two Frameworks provided widely distributed information to consider compliance in a disciplined way. Matt rants on Elon Musk.
  2. Mike Volkov explores FCPA enforcement over the past 5 years. He lists the top 3 developments: (1) the long road to the FCPA Corporate Enforcement Policy; (2) The Yates Memo and individual prosecutions and (3) The global framework, built by the DOJ and SEC for anti-corruption investigation and enforcement. Mike rants on disgraced Representative Chris Collins.
  3. Jonathan Armstrong focuses on the evolution of data privacy. Numerous actors, including legislatures, regulators, individuals and pressure groups have all influenced EU/UK policy in this area. Further as US companies have become larger and larger, EU/UK Fair Trade/anti-trust and privacy laws will be used to greater effect on these entities. Armstrong shouts out to compliance when walking one’s bovine in Norwich City.
  4. Jay Rosen considers changes in compliance from the vendor perspective. He notes that many vendors brought a business process approach to not only how law firms and investigative firms worked but also how companies approached compliance programs. Jay rants on the NFL owners attempting to stop players from exercising free speech.
  5. Tom throws in a shout out for retiring Wall Street Journal reporter Ben DiPietro, who retires from the WSJ Risk and Compliance Journal on August 14.

The members of the Everything Compliance panel are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.